Posted by timothy on Thursday February 25, 2010 @04:50PM from the to-err-is-corporate dept.

CWmike writes "Microsoft withdrew on Thursday its demand that Cryptome.org yank the 'Microsoft Global Criminal Spy Guide' document from the site, and said it had never intended for the whistleblower's domain to be knocked off the Web. 'In this case, we did not ask that this site be taken down, only that Microsoft copyrighted content be removed,' said a Microsoft spokeswoman. 'We are requesting to have the site restored and are no longer seeking the document's removal.' The document, a 17-page guide to law enforcement on how to obtain information about users of Microsoft's online services, including its Windows Live Hotmail, the Xbox Live gaming network and its Windows Live SkyDrive storage service, was published by John Young, who runs Cryptome.org, on Feb. 20. Earlier this week, Microsoft demanded that Young remove the document from his site, citing the Digital Millennium Copyright Act. When Young refused, his Internet provider shut down the site, and Network Solutions, the registrar of Young's domain, put a 'legal lock' on the domain name. The last prevented him from transferring the URL to another ISP. Computerworld blogger Preston Gralla dug into the document today in his 'Leaked Microsoft intelligence document: Here's what Microsoft will reveal to police about you' post."

While I completely agree that using DMCA to pull off the site is an asshole move, the documents also gave reassurance about privacy policies used in those services, mainly that MS isn't logging chat between people in Messenger and that when you move the email from their servers to your local computer email box, it isn't kept on MS servers. While in contrast, in my understanding, for example Google keeps even deleted email somewhere in their networked file system for many many months.

I'd actually like to see more of these from different companies. Most interestingly, Facebook has a lot of personal data. And what about Google? Yahoo?

If anything, such openness is good for MS in this case (even while they don't seem to agree to it, until now that it's leaked).

I should have added that Yahoo had tried taking down their lawful spying guide but wasn't as "successful" as Microsoft. I say "successful" because Microsoft claims they only wanted to take down the document and not the website. However, it resulted in the takedown of the website and thus generated much more interest in the document and had the opposite effect of what they wanted.

Thankfully for us most corporations and governments don't realize this. If MS had done nothing the majority of people would have never read this because most people don't visit cryptome or other whistleblowing websites on a regular basis.

Thankfully for us most corporations and governments don't realize this. If MS had done nothing the majority of people would have never read this because most people don't visit cryptome or other whistleblowing websites on a regular basis.

I'm not sure it's that they don't realize it. I think it's more complicated than that. First of all, corporations and governments don't "realize" anything, as they are not alive. Anthropomorphizing them leads to errors in analyzing and responding to their actions. "Punishing" them or getting angry at them is a mistake, as they have no feelings.
What is probably happening is that individuals within the corporation responsible for hunting down violations of copyright are not particularly tuned in to the idea of freedom of information for some reason. The only counter-valence to this would be if there were other individuals reviewing their actions who ARE sensitive to that issue or at least the politics of that issue.
This reminds me of the interplay between risk managers and floor traders in large banks, or engineers and managers in large companies, or lots of other examples.

True... I think this can show how using the DMCA can have (un)intended consequences. Maybe they had hoped to shut them down without generating much negative publicity. When this backfired they had to go into spindoctor mode and fix it.

If anything, such openness is good for MS in this case (even while they don't seem to agree to it, until now that it's leaked).

The Microsoft documents got leaked (by who? hmmmm), they look pretty favorable and make Google + associated sites look bad... but they were leaked out on a nowhere site so didn't get good publicity. Lo and behold, Microsoft throws a DMCA takedown notice and the Streisand effect turns the leak into a flood.

But I'm probably just a paranoid conspiracy theorist. The leak coming almost immediately after MS & Yahoo got such great publicity for their privacy policies is most likely a co-incidence. And I'm sur

While in contrast, in my understanding, for example Google keeps even deleted email somewhere in their networked file system for many many months.

All MS said is that law enforcement can't have e-mail that isn't active in your account.
That isn't the same thing as "we delete everything".
I'm not sure any large e-mail provider can promise that your deleted e-mails are instantly deleted from all backups/mirrors.

At the same time large e-mail providers are way too lazy and cheap to have someone dig that stuff up for any reason unless they admit/you can prove they screwed up somehow and you want it back.

[...] the documents also gave reassurance about privacy policies used in those services, mainly that MS isn't logging chat between people in Messenger and that when you move the email from their servers to your local computer email box, it isn't kept on MS servers. While in contrast, in my understanding, for example Google keeps even deleted email somewhere in their networked file system for many many months.

Or maybe this "leak" was to make you believe that MS doesn't log everything and keep it around for m

Forgetting the rant about pot, what you are saying is that if you are a fugitive, currently traveling the country to avoid detainment, the police shouldn't be allowed to track you by your Xbox? Me, I'd be more worried about my C/C, bank account, cell phone, license plate, passport, email, photo on the evening news.

It is perfectly OK for law enforcement to track people by using public/private resources. As long as they have proper reason/warrants.

Please note I consider the outlawing of marijuana (or any other plant) to be a violation of the Tenth Amendment in our Bill of Rights. Therefore I don't consider users to be criminals because I consider the U.S. Prohibition Law to be null.

You and I may have our own opinions, but it is not for Microsoft (or, indeed, any other company) to argue the validity of law when a judicial warrant is served to them.

Ok, as I understood California or some other state had it legalized for medical use. Guess US federal law goes over that.

It's also completely criminalized where I live, but a doctor in combination with the medical agency can give special permission to use it for medical use (after which they can buy it from their own local drug store). It's not widespread, but apparently a few people with injuries from serious accidents and such have got the permission. I don't see anything wrong with that though.

That doesn't make any sense. If you are performing some illegal activity then Microsoft (or anyone else) is fully within their rights to cooperate with law enforcement in tracking you down (assuming there is a warrant, of course). That is not abuse; that is the way the system should work. If you have a problem with the law then get the law changed; don't cry about it being enforced.

A lower law says it's illegal, a higher law says the lower law is illegal. Getting that lower law overturned can take decades

Still makes me wonder why the guy got both domain and hosting from the same place. There have been countless cases of such issues before, either the host locking the domain too (like here) or giving trouble if you want to move hosting elsewhere but keep the domain. Network Solutions', like GoDaddy's, main business is domain registration anyway, not hosting.

Get the domain from a reputable registrar and then hosting from reputable hosting company.

A whois [domaintools.com] on the domain indicates it's old enough that it was created when Network Solutions was the only real registrar available. Remember, in the 'old' days Network Solutions had a monopoly granted it by the NSF to run the 'American' domains. While 1999 was just at the cusp of the change over, it was still a long while before Network Solutions was finally forced to play fair and real alternatives to them that people could trust showed up.

Permission is not required in the instance of fair use. In this case, he was distributing something that was technically copyrighted, but is not in itself a commercial product, and was clearly distributed for the purpose of commentary, criticism, and public interest. Fair use is ultimately only determined by a court case, but those are all strong factors in favor of it.

It doesn't take going to court to be in violation of the law, just to be proven so.

Wow, this sounds nutty. Proven how and to whom? In the newspapers? For a legal action to be taken, I thought a court was required, unless we are talking about legally appointed officials such as police officers, and I don't think a domain registrar qualifies, despite their official-sounding name.

Just because you feel it's inappropriate for a company to "hide" information, doesn't make it right to break copyright laws.

Actually it kind of does. Copyright laws are there to prevent companies from losing profit to competitors and have their ideas stolen, to provide an incentive for the marketplace of ideas to work. It is NOT there to protect corporate secrecy.

Ceasing to host the site is one thing, and, yes, they might argue that they were required to do so under DMCA. Locking the domain name registration is a different action that is not required by the DMCA.

The DMCA requires that if an alleged copyright owner alleges that specific material on a site infringes their copyright, the web hosting provider needs to disable access to that specific material, unless notified by the user that he disputes the allegations of the alleged copyright owner, and there are some detailed timelines for the actions. It doesn't require that the web hosting provider disable the whole website, or that the domain name registrar prevent the domain owner from changing the IP addresses for the website, or that either the web hosting provider or domain name registrar erase all backups, destroy the hardware with thermite, shoot the user's dog, or nuke the city from orbit.

Unless I'm misreading the correspondence that was posted on Cryptome's backup site, Microsoft asked Young's web hosting provider, Network Solutions, to disable access to one specific file under the DMCA, and Network Solutions, as the hosting provider, decided on their own to disable the entire cryptome website, and their evil twin, Network Solutions the DNS Registrar, decided on their own to place a lock on the domain name. I don't know if Netsol-the-registrar's contract with ICANN lets them do that, but I'd be surprised - this isn't a trademark dispute about the name cryptome, it's a copyright dispute about material on the site.

The DMCA deadlines haven't expired yet, so Network Solutions' Other Evil Twin, Cthulhu Inc, have not yet completed the aforementioned other activities and slunk back into the ocean, but it's possible they'll do it anyway just for fun.

Honestly, I read through the leaked document. I can't figure out why this wasn't just published on Microsoft's site. There isn't anything shocking in the document, just an overview of what US law (under the 9th circuit's interpretation) requires and what information is retained by Microsoft. If you look at page 22 of the document, they basically say "here's what the law says you have to do before we can turn this information over to you."

Tin foil hat on. Reverse Psychology/Social Engineering of Nerds. MS wants you to think that it was leaked on accident and then shows feigned ignorance of the Streisand effect; except that the Streisand effect is actually the method to get the misinformation out. Tin foil hat off.

It's either [disable the site], or be liable themselves for any infringement.

You are incorrect, in my non-lawyer's opinion from what I know of the DMCA.

The owner of cryptome.org sent a DMCA counter-claim, under penalty of perjury. This means he acknowledges the accusation and bears the responsibility. NSol cannot be held responsible, and is granted immunity from prosecution by the DMCA. MS cannot file another DMCA claim at this point; they can only take him to court.

The owner of cryptome.org sent a DMCA counter-claim, under penalty of perjury. This means he acknowledges the accusation and bears the responsibility. NSol cannot be held responsible, and is granted immunity from prosecution by the DMCA.

You're broadly correct, but the devil is in the details. Going by DMCA, the service provider cannot re-enable access to the content in question - they first have to inform the copyright claimant of the counter-claim, and then wait for no less than 10 and no more than 14 days for the claimant to file the lawsuit. Only if the lawsuit isn't filed during that period, can the service provider re-enable service. Wikipedia explains this [wikipedia.org] on a simple example. And this is precisely what Network Solutions did - this was

I'm no fan of Microsoft, but I think they've handled this whole situation correctly.

There's no indication that the document in question was *not* copyright by Microsoft. In this case, the correct legal action is a DMCA, same as if you had a movie up on your site. NetSol is just being a dick, as usual - it's not their responsibility to screw with the domain over the dispute between 2 third-parties unless legally required to (I don't think that's the case here).

In any case, when Microsoft saw how this was about to go all Streisand on them, they decided correctly that it wasn't worth the fight.

I believe them when they said they didn't intend to take Cryptome down. Looks like it was just NetSol being... proactive. So really the only thing they'd be at fault for was sending a DMCA, which is clearly within their rights. They probably have underlings scouring the web and sending DMCAs - so they were probably not deliberately targeted. When it had unintended consequences, they withdrew it.

I don't think MS is at fault here. I actually think they acted quite exemplary.

I think you're on the wrong site. I mean that was a well-reasoned, even-keeled reply in a Microsoft article. Are you sure you're supposed to be on slashdot?

In any event, I agree. I don't approve of the DMCA as it currently exists, but it certainly wasn't being abused in this instance, and Microsoft withdrew it quickly after Cryptome was knocked off. *shrug* Story's pretty much over.

It seems pretty clear to me that some lawyer at Microsoft screwed up. I do not think that this was a justified use of the DMCA. Just because Microsoft quickly withdrew it does not make the original action proper. The DMCA is for preventing the copying of things that a company offers for sale.

This document, I would say, is more of a trade secret than a work you can seriously copyright.

Just because it's within their legal rights doesn't mean it's the right thing to do. I'll bet that lawyer has a lot of splainin' to do to the boys upstairs about this egg on their face. The document was leaked, and the DMCA was never intended as a censorship tool, so abuse of it really hits Microsoft in the reputation department. That's why there's this quick turnaround on spinning things.

It's not censorship. There is a big difference between keeping one's own secrets, and preventing the publication of someone else's work.

Of course, like any word in any language, the meaning isn't completely clear-cut, but I do not believe that this is censorship. If someone else wrote what they knew about Microsoft's practice, and MS somehow got that taken down, I suppose that could be considered censorship. But in this case, it was a document that Microsoft wrote so they can do what they will. If it was th

The thing is if it's a secret, keep it secret. The DMCA is not supposed to be used to prevent spreading of secrets. You can pound a nail in with a screwdriver, but you're more than likely gonna break the screwdriver and screw up the nail. Not to mention that there are numerous other precedents for this being a newsworthy publication of the article. Whistleblower laws and the like exist for a reason... because sometimes shit is wrong, and you need to leak it to get the info out. The DMCA is not an end-run ar

I'm pretty sure that the DMCA (and copyright in general) applies to more than things that can be sold. If I write poetry and put it on my blog, and someone yoinks it, or someone puts my home videos on youtube, I believe I can send a takedown request.

No matter the nature of the document, it was copyrighted material. Even though it galls me to say it, Microsoft didn't do anything wrong legally in this instance. They did everything by the book. I'm amazed at Microsoft pulling back as quickly as they did from it. Even though they didn't have to.

Network Solutions is the villain in this. All they were legally required to do was to stop access to a single file on cryptome.org. They went far beyond what they needed to do. They yanked the entire domain which dow

And it wouldn't have been an issue if Young had written up his own description of what Microsoft did. If you took a look at the document in question, you'd see it's not just a plaintext list of steps that can't be communicated using different wording. As such, the document has its own style, and literary content. It would not have been an issue if Young had made a post that said... Hey, I've seen an official document that says that they

not sufficient... to justify saying that this is uniquely Microsoft's property

Does any other company have exactly the same document, word for word? And if that was the case, we wouldn't need/want to see their document anyway. If it wasn't unique, who cares if we see it or not.

it's a step-by-step description of their legal obligations under U.S. law

It's not. If you want that, read the law. It's their interpretation of it. There is no law (that I know of) saying that they have to make their interpretation public. And if it was what you say it is, again there is no law, or obvious moral obliga

That being said, I do agree that Microsoft should have that document available on their site. I just don't believe that they have any legal obligation to do so. And whether or not there is a moral obligation is arguable, and therefore needs a proper argument.

Perhaps not at fault (though when PR says "we didn't do anything" you never know if there was a nudge, nudge, "if you want our business I think you know what we want" message to NetSol). Regardless, NetSol sure is at fault!

I actually think they acted quite exemplary.

Whoah! You're saying that it is exemplary for a company to actively hide from users the steps it will go through to give personally identifying information about those users to law enforcement? This is only "exemplary" as an example of what not to do. One of John Young's points was that there isn't a legitimate reason to hide this information from users; many other companies do not hide this information, and neither should Microsoft.

Considering just about every big internet company, heck company, has a law enforcement guide so law enforcement knows who to call in emergencies (like kidnappings) or format subpoena and search warrants for more routine matters, it seems silly to single out Microsoft for this. No company wants to have their law enforcement procedure out in the open.

DMCA takedowns follow a very clear and explicit process on what providers have to do and how... as I understand it, "locking out" the domain at the registrar level is far beyond both the spirit and the letter of the law.

Microsoft finally has the competition it needs in areas outside of their "core business PC" market to make them need to have a decent image.

Specifically they want to be competitive in search, social networking, on-line gaming and other areas that kinda-sorta require the trust of their end users. If your end users don't trust you, and they have options, they'll just go somewhere else. This story was making it look like Microsoft had something to hide with this law enforcement guide (which it actually doesn

Well, I'll try to explain it. Microsoft creates some feel-good document which makes it look like they aren't collecting personal information in terrifying quantities. This document somehow "leaks." Microsoft files a DMCA takedown. NetSol overreacts. Microsoft steps in and says "We didn't mean for THAT to happen, and by the way, you can keep the document."

End result? Microsoft makes another company look like an ass, makes itself look reasonable, and gets a document out there that paints a rosy picture of per

Now more likely you just have a really active imagination. Your conspiracy theory is lacking a couple of key motivators. You forgot the part where the NSA was secretly wiretapping the internet connections of a bunch of "internet activists" (be sure to throw in some corresponding, FBI supported real world physical surveillance). Their unConstitutional surveillance measures revealed the danger of the extent of their "real" (in your story) activities were about to be revealed. They made a phone call, and in a back room some guy flipped the magic influence coin. This time it came up heads, Microsoft instead of tails, Google (both are owned by the NSA you know). They sent Jack Bauer out to gather up the appropriate Microsoft personnel and "do whatever it takes" (because that's what Jack Bauer does) to make sure that they first leak, then retract the doctored version of the document regarding their evil menu of law enforcement options.

The chain of events is nothing newsworthy.
1. Microsoft claims copyright on its internal guide.
2. Microsoft sends DMCA takedown letter... site refuses.
3. Microsoft sends DMCA takedown to server provider, server provider must take on the liability or take down the whole server, server provider decides to down site.
What's newsworthy is that Microsoft is now saying "sorry" and letting the document stay up now. If you didn't know there was a law enforcement back door in everything Microsoft does, well, here's your proof.

If you didn't know there was a law enforcement back door in everything Microsoft does, well, here's your proof.

Actually I would say that the documents indicate almost the opposite.

They'll give you information that MS has on the servers, but not information that's just on your XBox. To wit: 'Be aware that users may also store e-mail content on their computer's hard drive. Microsoft will not be able to disclose e-mail content stored on a user's computer --- only e-mail content stored on Microsoft's e-mail ser

Calling this a 'back door' is a bit disingenuous. That's data that Microsoft has collected about you, through your use of their services. If a law enforcement agency has the appropriate request (subpoena or warrant, etc), then it's either "provide a way for them to collect it, in such a way that protects every other user of the service from undue scrutiny" or "let them walk in and take the servers, and screw everyone"

You're making a big mistake if you think that law enforcement agents won't do the latter if you refuse to give them the former.

MS wants to suppress one file, JY refuses, MS sends DMCA letter to Netsol requesting taking down the one file. That's mildly newsworthy because it's cryptome and MS, but that's not the big event. Netsol took down the whole site, not just the one file, which is especially newsworthy because of the importance of cryptome and because it exceeds their requirements, and then Netsol the Registrar locked the domain name, which isn't at all required, and is newsworthy because they're locking domain names for non-domain-related reasons.

And MS is saying "sorry" not only because JY asserted his rights to dispute the DMCA takedown and thousands of people yelled at MS, but because MS is getting blamed for Netsol's overkill overreaction.

This stuff shouldn't be shocking to anyone: By law, they will reveal certain things about online services when requested. The problem should be that they don't want you to know what they are forced to give up which seems to be the wrong stance. These services should function like a bank safety deposit box: Although private, it isn't legally sacrosanct and will be opened by third parties for inspection in certain circumstances.

If nothing else, all of these online services need to have a general policy about this as well. If I suddenly croak, who gets access to stuff I stored out there online? Putting the password and other access information in a vault somewhere isn't reliable or sane. I may even state it in my will that I want my immediate family to take ownership of all of my online information but I have no idea how to compel Microsoft or Google or whatever to release these accounts to someone else. This seems like one of those areas all service providers should be better at defining instead of hiding the detail from us in the legalese of the EULA.

As was posted in previous comments, I also don't think the document is really anything to cry home about. The truth is, reviewing the document left me a bit more comfortable. They clearly spelled out what they did and didn't track, and I actually found out that they track less than I thought they did.

What the deal is... is that they probably view this as a 'trade secret'. You know how companies are. Actual sales numbers are trade secrets. How many packages they can fit in a truck is a 'trade secret'.

So when internal processes were shown, they reflexively DMCA'd it because it was an internal document.

When the provider stepped over their bounds, MS correctly officially backed off and told the ISP and everyone to restore everything. Because it prevents them getting Streisand'd over what ultimately amounts

I do not know if the posting document would be covered by fair use or not. But copyright law does not protect facts or ideas, only the particular expression of ideas. It seems to me that a paraphrased version would be perfectly legal. This makes copyright law a poor vehicle to enforce secrecy.

DMCA takedown provisions don't say take down the entire site. The DMCA says to deny access to the contested content. In this case it was ONE file on a very large web site.

The way a take down is supposed to work is this.
1) Copyright holder sends DMCA take down notice to the hosting company.
2) Hosting company, to get a legal safe harbor, must deny access to the material specified in the take down notice.
3) The party that posted the material can file a counter-notice to the service provider.
4) The server provider then must restore access to the contested material within a period of 10-14 business days.
5) During that 10-14 day period the copyright holder is allowed to go to a court and request a Temporary Restraining Order to keep the contested material offline, and then file a lawsuit against the party which posted the material online.

The idea is to allow the material to be removed quickly from the Internet by the copyright holders to theoretically reduce the damage. And the take down period is for the copyright holder to get the restraining order to keep the material offline. And the counter-notice is to notify the hosting provider to say "I'm in the right, put that material back up." And the hosting provider is off the hook from any copyright liability.

DMCA provisions do require taking down at least part of the site (the offending material). Apparently you didn't read the notification from Network Solutions to Cryptome, because their policy is indeed to take the option of downing the whole site.

Also, I would like to make you aware that in accordance with the DMCA, upon receipt of a Counter-Notification from you, Network Solutions will disable your site for "not less than 10 days, nor more than 14 business days following receipt of the Counter Notification. During this time, the complaining party must initiate litigation. In the event that Network Solutions does not receive notice of litigation within the allotted time frame, your site will be reactivated.

Microsoft got caught taking unwarranted action against a well known website. Now they're claiming that they never intended to do that and that the information in question isn't really protected.

Anyone who believes that this means Microsoft has turned over a new leaf needs to go back to the school of hard knocks and learn about "spin", "doublespeak" and "marketing". If you think that they would back off like this if the general public DID NOT know what transpired then don your pointy hat and go sit in the co

Way to completely mischaracterize the situation. This has nothing to do with Microsoft and everything to do with the DMCA and shitty web hosts. The same thing happened to my website over a copyright dispute with another individual. GoDaddy suspended my domain instead of just blocking the content. Trying to pin this on Microsoft is pathetic.

I'm not interested in being a "slashdotter," I'm fine as me, thank you very much. I don't follow a creed but my own. I don't march to anybody's drumming but mine. And despite my presence here, I certainly don't associate myself with a non-existent entity in order to feel accepted.

And I have read the relevant texts and made a judgment call that Microsoft is most likely not at fault. Even if say, somebody within MS had put pressure on NetSol to lock the domain, the fact t

tin_hat_mode_on
Hmmm this is too convenient... maybe MS wanted the document to "leak", giving false assurances to the masses? In actuality, they are logging every single bit that passes through!
tin_hat_mode_off
nah... couldn't happen... or could it?
How could a document like this "leak" out? By whom? A law enforcement agency employee? A Microsoft employee? The document is actually pretty benign - it basically states that the data logged is that which is also logged by every web server in existence, nothi

The document had already gotten out into the wild. That it was restricted only made it more popular and there were plenty of places to get it besides Cryptome. All MS was doing was generating more bad publicity for itself.